Summary of the invention
Embodiments of the invention provide a distributed denial of service (DDoS) attack protection method, system and device, in order to ensure the security of application-layer data and improve the capacity of the network to defend against DDoS attacks.
A DDoS attack protection method provided by an embodiment of the invention comprises:
periodically scanning one or more ports of a protected server and determining the service type of each port;
generating, according to the service type of the port, a service policy corresponding to the protected server;
filtering the traffic accessing the protected server using the service policy;
wherein periodically scanning one or more ports of the protected server and determining the service type of each port comprises:
selecting one or more ports of the protected server and checking whether each port is in an open state;
sending a predetermined packet to each port that is in the open state;
determining the service type of the port according to the packet the port returns.
A DDoS attack protection system provided by an embodiment of the invention comprises:
a scanning device, for periodically scanning one or more ports of a protected server, determining the service type of each port, and generating a service policy corresponding to the protected server according to the service type of the port;
a cleaning device, for filtering the traffic accessing the protected server using the service policy;
wherein the scanning device comprises:
a port selection unit, for selecting one or more ports of the protected server;
a state checking unit, for checking whether the port is in an open state;
a service type determination unit, for sending a predetermined packet to each port that the state checking unit has found to be in the open state, and determining the service type of the port according to the packet the port returns;
a policy generation unit, for generating a service policy corresponding to the protected server according to the service type of the port.
A scanning device provided by an embodiment of the invention comprises:
a port selection unit, for selecting one or more ports of the protected server;
a state checking unit, for checking whether the port is in an open state;
a service type determination unit, for sending a predetermined packet to each port that the state checking unit has found to be in the open state, and determining the service type of the port according to the packet the port returns;
a policy generation unit, for generating a service policy corresponding to the protected server according to the service type of the port.
With the DDoS attack protection method and system provided by the embodiments of the invention, the ports of the protected server are scanned periodically, the service type of each port is determined, a service policy corresponding to the protected server is generated according to the service type of the port, and the traffic accessing the protected server is filtered using that service policy. Application-layer flood attacks over stateless services such as UDP can thereby be prevented, the security of application-layer data ensured, and the capacity of the network to defend against DDoS attacks improved.
Embodiments
To help those skilled in the art better understand the solution of the embodiments of the invention, the embodiments are further described below with reference to the accompanying drawings and specific implementations.
Figure 2 is a flow chart of the DDoS attack protection method of an embodiment of the invention; it mainly comprises the following steps:
Step 201: periodically scan the ports of the protected server and determine the service type of each port.
When the ports of the protected server are scanned and their service types determined, one or more ports of the protected server may be selected and checked for the open state; a predetermined packet is then sent to each port in the open state, and the service type of the port is determined according to the packet the port returns.
To check whether a port is in the open state, a request message is sent to the port; if a reply message is received from the port, the port is determined to be in the open state.
In a network system there may be multiple servers requiring protection, and they may be distributed across different network segments. In that case, one or more ports of each of these servers may be scanned in turn and the service type of each port determined.
The servers to be scanned and their ports may of course be pre-configured and stored in a list file; when a scan is due, the address of each server is read from the list file in turn and scanned.
Step 202: generate, according to the service type of the port, a service policy corresponding to the protected server.
The service policy may comprise any one or more of the following: illegal port filtering, protocol content checking and protocol data rate limiting. The embodiments of the invention are of course not limited to these; finer-grained service policies may also be generated.
Step 203: filter the traffic accessing the protected server using the service policy.
For example, illegal port filtering is performed first: traffic accessing ports that are not open is discarded directly. Traffic accessing open ports is then subjected to protocol content checking, that is, the packet format is verified against the protocol format of the application protocol, and non-conforming packets are discarded directly. In addition, protocol data rate limiting may be performed: for example, a rate-limit threshold is generated dynamically for each service according to the importance of the service and the service priority determined for the user, so that the user's important traffic is guaranteed to pass preferentially.
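The three filters of step 203 applied in order to constructed sample traffic, as an added example that is not part of the patent; the policy layout, the DNS and NTP format checks and the per-service thresholds are assumptions made for the example.

```python
"""Step 203 filters applied in order: illegal port filtering, protocol content
checking, protocol data rate limiting. Added example; the policy layout, the
format checks and the thresholds are assumptions, not the patent's own."""
from collections import Counter

# Constructed policy for one protected server, as a scanner would generate it:
# open ports with their detected service type, and a per-service threshold
# (assumed unit: packets per measurement window, derived from service priority).
POLICY = {
    "open_ports": {53: "dns", 123: "ntp"},
    "rate_limit": {"dns": 3, "ntp": 2},
}

def dns_query_ok(payload: bytes) -> bool:
    """DNS query format check: 12-byte header, QR bit clear, QDCOUNT >= 1."""
    if len(payload) < 12:
        return False
    qr = payload[2] >> 7
    qdcount = int.from_bytes(payload[4:6], "big")
    return qr == 0 and qdcount >= 1

def ntp_request_ok(payload: bytes) -> bool:
    """NTP client request check: 48-byte packet, mode field == 3 (client)."""
    return len(payload) >= 48 and (payload[0] & 0x07) == 3

FORMAT_CHECKS = {"dns": dns_query_ok, "ntp": ntp_request_ok}

def filter_packets(packets, policy):
    """Return (passed_packets, drop_counts_by_reason)."""
    passed, dropped, seen = [], Counter(), Counter()
    for pkt in packets:
        service = policy["open_ports"].get(pkt["dst_port"])
        if service is None:                  # 1. port not open: discard directly
            dropped["illegal_port"] += 1
            continue
        if not FORMAT_CHECKS[service](pkt["payload"]):    # 2. content check
            dropped["bad_format"] += 1
            continue
        seen[service] += 1
        if seen[service] > policy["rate_limit"][service]:  # 3. rate limit
            dropped["rate_limited"] += 1
            continue
        passed.append(pkt)
    return passed, dropped

# Constructed sample traffic: a valid DNS query, a response-shaped packet that
# is not a valid query (QR bit set), and a valid NTP client request.
DNS_QUERY = bytes.fromhex("abcd01000001000000000000") + b"\x00\x00\x01\x00\x01"
DNS_RESPONSE = bytes.fromhex("abcd81800001000100000000") + b"\x00\x00\x01\x00\x01"
NTP_REQUEST = bytes([0x1B]) + bytes(47)
SAMPLE_PACKETS = (
    [{"dst_port": 53, "payload": DNS_QUERY}] * 4         # 4th exceeds dns limit 3
    + [{"dst_port": 53, "payload": DNS_RESPONSE}]        # fails the format check
    + [{"dst_port": 123, "payload": NTP_REQUEST}] * 2
    + [{"dst_port": 8080, "payload": b"GET / HTTP/1.1"}]  # port is not open
)

if __name__ == "__main__":
    kept, drops = filter_packets(SAMPLE_PACKETS, POLICY)
    print(len(kept), "passed;", dict(drops))
```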
It can be seen that, by scanning the protected server and generating a service policy corresponding to the protected server according to the service type of each port, the embodiment of the invention can filter out invalid traffic passing through a port according to the port's type. Even stateless traffic such as UDP accessing the protected server can be filtered according to the corresponding service policy, thereby ensuring the security of the protected server.
As mentioned above, a network system may contain multiple servers requiring protection, distributed across different network segments. For this situation, the servers to be scanned and their ports may be stored in a list file; when a scan is due, the address of each server is read from the list file in turn and scanned.
Figure 3 is a flow chart of scanning the protected servers in the method of an embodiment of the invention; it mainly comprises the following steps:
Step 301: read the server list file.
Step 302: read a server address from the file.
Step 303: check whether one or more ports of the server are in the open state; if so, go to step 304; otherwise, go to step 306.
Step 304: send a predetermined packet to each port that is in the open state.
Step 305: determine the service type of the port according to the packet the port returns.
Step 306: check whether the server list file contains further servers to be scanned; if so, go to step 302; otherwise, go to step 307.
Step 307: generate the service policy corresponding to each server according to the scan results.
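The scanning flow of Fig. 3 carried through to policy generation, as an added example that is not the patent's code; network I/O is replaced by a constructed reply table so it runs offline, and the probe packets, the service names and the priority-to-threshold mapping are assumptions.

```python
"""Scanning flow of Fig. 3 with per-server policy generation (step 307).
Added example, not the patent's code. Network I/O is replaced by a constructed
reply table so the flow runs offline; the probe packets, service names and the
priority-to-threshold mapping are assumptions."""
import struct

SERVER_LIST = "192.0.2.10\n192.0.2.20\n"   # constructed server list file text
PROBE_ID = 0x1234
PROBES = {   # predetermined packet sent to a port (constructed probes)
    53: struct.pack("!HHHHHH", PROBE_ID, 0x0100, 1, 0, 0, 0) + b"\x00\x00\x01\x00\x01",
    123: bytes([0x1B]) + bytes(47),          # NTP client request, mode 3
    80: b"HEAD / HTTP/1.0\r\n\r\n",
}
# Constructed reply table standing in for the network; a missing entry means
# no reply, so the port is treated as closed (step 303 -> step 306).
REPLIES = {
    ("192.0.2.10", 53): struct.pack("!HHHHHH", PROBE_ID, 0x8180, 1, 1, 0, 0) + bytes(16),
    ("192.0.2.10", 123): bytes([0x1C]) + bytes(47),   # NTP server reply, mode 4
    ("192.0.2.20", 80): b"HTTP/1.1 200 OK\r\n\r\n",
}
PRIORITY = {"dns": 3, "http": 2, "ntp": 1, "unknown": 1}   # assumed priorities

def classify_reply(reply: bytes) -> str:
    """Step 305: infer the service type from the packet the port returned."""
    if len(reply) >= 12:
        txid, flags = struct.unpack("!HH", reply[:4])
        if txid == PROBE_ID and flags & 0x8000:      # our ID echoed, QR bit set
            return "dns"
    if len(reply) >= 48 and (reply[0] & 0x07) == 4:  # NTP mode 4 = server
        return "ntp"
    if reply.startswith(b"HTTP/"):
        return "http"
    return "unknown"   # open but unrecognised: keep the port, apply the default

def fake_send(ip: str, port: int, probe: bytes):
    """Stand-in for sending the probe and waiting for an answer (step 303)."""
    return REPLIES.get((ip, port))

def scan_servers(list_text: str, probes, send):
    """Steps 301-307: return {server_ip: service policy}."""
    policies = {}
    for ip in list_text.split():                  # 301/302: addresses in turn
        open_ports = {}
        for port, probe in probes.items():
            reply = send(ip, port, probe)
            if reply is None:                     # 303: no answer, not open
                continue
            open_ports[port] = classify_reply(reply)   # 304/305
        policies[ip] = {                          # 307: policy for this server
            "open_ports": open_ports,
            "rate_limit": {s: 100 * PRIORITY[s] for s in set(open_ports.values())},
        }
    return policies

if __name__ == "__main__":
    for ip, policy in scan_servers(SERVER_LIST, PROBES, fake_send).items():
        print(ip, policy)
```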
It should be noted that the generated service policy mainly addresses the security problem of application-layer flood attacks over stateless services such as UDP, thereby ensuring the security of application-layer data.
The method of the embodiment of the invention can filter the traffic accessing the protected server in real time. Because the service policy is generated according to the scan result of the protected server, application-layer flood attacks over stateless services such as UDP, as well as illegal application data, can be filtered out according to that service policy. The method can also be combined with existing layer 3 and layer 4 protection algorithms, so that layers 3 and 4 and the application layer are protected simultaneously.
For example, the traffic accessing the protected server is inspected in real time; if attack data is found in the traffic, the traffic is cleaned according to a preset protection algorithm.
In a specific implementation, a cleaning center may be provided. When attack data is found in the traffic, the cleaning center is notified; the cleaning center instructs the core router to redirect the traffic accessing the protected server to the cleaning center, and the cleaning center cleans the traffic according to the preset protection algorithm. The preset protection algorithm may be a conventional layer 3 and layer 4 protection algorithm. At the same time, the generated service policy also needs to be sent to the cleaning center. In this way the cleaning center first cleans the traffic according to the preset protection algorithm and then filters the cleaned traffic according to the service policy, which both ensures the security of the protected server and improves the processing efficiency of the cleaning center.
Those of ordinary skill in the art will appreciate that all or part of the steps of the method of the above embodiments may be implemented by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc.
Figure 4 is a schematic structural diagram of the DDoS attack protection system of an embodiment of the invention.
The system comprises a scanning device 401 and a cleaning device 402. The scanning device 401 is used to periodically scan the ports of the protected server, determine the service type of each port, and generate a service policy corresponding to the protected server according to the service type of the port; the cleaning device 402 filters the traffic accessing the protected server using the service policy.
Where the network contains multiple servers requiring protection, the system may further comprise a storage device 403 for storing a protected server list. The protected server list contains the IP address of each server and may further contain the ports to be scanned on each server. Alternatively, the ports to be scanned on each server may be set to a default value, for example all ports of the server, or only the HTTP port (default value 80).
Preferably, the scanning device 401 comprises a port selection unit 411, a state checking unit 412, a service type determination unit 413 and a policy generation unit 414, wherein:
the port selection unit 411 is used to select one or more ports of a protected server in the protected server list; the state checking unit 412 is used to check whether the port is in the open state; the service type determination unit 413 is used to send a predetermined packet to each port that the state checking unit has found to be in the open state, and to determine the service type of the port according to the packet the port returns; the policy generation unit 414 is used to generate a service policy corresponding to the protected server according to the service type of the port, and the service policy may comprise any one or more of the following: illegal port filtering, protocol content checking and protocol data rate limiting. The service policy in the embodiments of the invention is of course not limited to these; finer-grained service policies may also be generated according to practical needs.
With the DDoS attack protection system of the embodiment of the invention, protection against DDoS attacks can be achieved, the security problem of application-layer flood attacks over stateless services such as UDP solved, and the security of application-layer data ensured. For the detailed process, reference may be made to the description of the method embodiments above, which is not repeated here.
Figure 5 is another schematic structural diagram of the DDoS attack protection system of an embodiment of the invention.
The difference from the embodiment shown in Figure 4 is that in this embodiment the system further comprises a monitoring device 404, which is used to inspect in real time the traffic accessing the protected server and to notify the cleaning device 402 after finding attack data in the traffic. The cleaning device 402 can then also clean the traffic according to a preset protection algorithm, which may be a conventional layer 3 and layer 4 protection algorithm.
With the DDoS attack protection system of this embodiment, layers 3 and 4 and the application layer can be protected simultaneously, which not only ensures the security of the protected server but also improves the processing efficiency of the cleaning center.
In practical application, the DDoS attack protection system of the embodiments of the invention may be connected to the devices in the network in several ways.
Figure 6 is a schematic diagram of one application network arrangement of the DDoS attack protection system of an embodiment of the invention.
In this networking mode, the DDoS attack protection system 60 is connected in series in the network between router 67 and router 65. Its cleaning device 602 cleans the traffic accessing protected servers 61, 62, 63 and 64 in real time, so as to prevent layer 3 and layer 4 DDoS attacks. Meanwhile, the scanning device 601 in the system 60 periodically scans the protected servers through router 65 and generates the corresponding service policies, and the cleaning device 602 filters the cleaned traffic according to these service policies. For example, illegal port filtering is performed first: traffic accessing ports that are not open is discarded directly. Traffic accessing open ports is then subjected to protocol content checking, that is, the packet format is verified against the protocol format of the application protocol, and non-conforming packets are discarded directly. In addition, protocol data rate limiting may be performed: for example, a rate-limit threshold is generated dynamically for each service according to the importance of the service and the service priority determined for the user, so that the user's important traffic is guaranteed to pass preferentially.
Figure 7 is a schematic diagram of another application network arrangement of the DDoS attack protection system of an embodiment of the invention.
In this networking mode, the DDoS attack protection system 70 monitors the uplink and downlink traffic of the network in real time in a parallel (bypass) arrangement. Various detection algorithms may be configured in the monitoring device 703 to analyse and judge the monitored network data; once attack data is determined to be present, the cleaning device 702 is notified. The cleaning device 702 can communicate with the core router in the network: upon receiving the notification, it sends a route update message to the upstream router, so that downlink traffic passes through the cleaning device 702, and the cleaning device 702 cleans the downlink traffic with the preset protection algorithm according to the detection result of the monitoring device 703. Meanwhile, the scanning device 701 periodically scans the protected servers 71, 72 and 73 through the core router in the network, generates a service policy corresponding to each protected server according to the scan result, and sends the service policies to the cleaning device 702. The cleaning device 702 then further filters the cleaned traffic according to these service policies: for example, illegal port filtering is performed first, and traffic accessing ports that are not open is discarded directly; traffic accessing open ports is subjected to protocol content checking, that is, the packet format is verified against the protocol format of the application protocol, and non-conforming packets are discarded directly; in addition, protocol data rate limiting may be performed, for example by dynamically generating a rate-limit threshold for each service according to the importance of the service and the service priority determined for the user, so that the user's important traffic is guaranteed to pass preferentially. This not only ensures the security of the protected server but also improves the processing efficiency of the cleaning center.
As the above embodiments show, whichever networking mode is used, the DDoS attack protection system of the embodiments of the invention protects layers 3 and 4 and the application layer simultaneously.
An embodiment of the invention also provides a scanning device; Figure 8 is a schematic structural diagram of this scanning device.
In this embodiment, the scanning device comprises a port selection unit 801, a state checking unit 802, a service type determination unit 803 and a policy generation unit 804. The port selection unit 801 is used to select one or more ports of the protected server; the state checking unit 802 is used to check whether the port is in the open state; the service type determination unit 803 is used to send a predetermined packet to each port that the state checking unit has found to be in the open state, and to determine the service type of the port according to the packet the port returns; the policy generation unit 804 is used to generate a service policy corresponding to the protected server according to the service type of the port, and the service policy comprises any one or more of the following: illegal port filtering, protocol content checking and protocol data rate limiting.
With the scanning device of the embodiment of the invention, the ports of the protected server can be scanned, the service type of each port determined, and a service policy corresponding to the protected server generated according to the service type of the port. For the specific scanning process, reference may be made to the description of the method embodiments above.
An embodiment of the invention also provides a cleaning device; Figure 9 is a schematic structural diagram of this cleaning device.
In this embodiment, the cleaning device 900 comprises a filter unit 901 and a cleaning unit 902. The filter unit 901 is used to filter the traffic accessing the protected server using a service policy generated in advance according to the service types of the service ports; the cleaning unit 902 is used to clean the attack data in the traffic accessing the protected server according to a preset protection algorithm.
The service policy may be generated in several ways, and likewise there may be several preset protection algorithms. With the cleaning device of the embodiment of the invention, layers 3 and 4 and the application layer can be protected simultaneously, ensuring the security of the protected server.
The embodiments of the invention have been described in detail above. Specific embodiments have been used herein to set out the invention, and the description of the above embodiments serves only to help understand the method and apparatus of the invention. Those of ordinary skill in the art may, in accordance with the idea of the invention, make changes to both the specific embodiments and the scope of application. In sum, this description should not be construed as limiting the invention.